coned.com customer site bill access broken on non Release builds

RESOLVED WORKSFORME

Status

Tech Evangelism
Desktop
4 years ago
a year ago

People

(Reporter: Marc Auslander, Unassigned)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

4 years ago
This may not be a firefox bug but a coned problem but maybe you can get their attention.

Their new online bill system will not display a list of bills, producing a useless error message instead.

web console shows:
postedge.documentmailbox.com : server does not support RFC 5746, see CVE-2009-3555

The site works on Firefox 30 and on Google Chrome.

Updated

4 years ago
Component: General → Desktop
OS: Windows 7 → All
Product: Firefox → Tech Evangelism
Hardware: x86_64 → All
Version: 33 Branch → unspecified
(Reporter)

Comment 1

4 years ago
First question - is this even the problem?  The site is broken - it's not just the console message I'm concerned about.  Has enforcement been turned on?  If not I'll try to see what else is different.

Since this is inside the customer bill pay system, there is no way for non coned customers to work on it.
It's not a bug of Firefox, rather a security issue of the site. That's why this is triaged as a Tech Evangelism product. If you are a customer of that service, please contact the site to get it fixed.
(Reporter)

Comment 3

4 years ago
Please pay attention.  The site works on fx30 and DOES NOT work on fx33.  I probably mistakenly thought that the rfc 5746 was the cause.  But if this is just a warning message, then the bug is elsewhere.  I need help in tracking it down.
Summary: coned.com does not support rfc 5746 → coned.com customer site bill access broken on fx 33

Comment 4

4 years ago
(In reply to Marc Auslander from comment #3)
> Please pay attention.  The site works on fx30 and DOES NOT work on fx33.  I
> probably mistakenly thought that the rfc 5746 was the cause.  But if this is
> just a warning message, then the bug is elsewhere.  I need help in tracking
> it down.

The first step would be figuring out when it regressed using mozregression.
(Reporter)

Comment 5

4 years ago
I'm afraid whatever is going on is bizarre.

Facts:

firefox 30 release works correctly
firefox 31B2 - latest beta works correctly
nightly as far back as one of the version 28 nightlies fails!
the last nightly for version 31 built 4/28 fails
aurora 32A fails

Any ideas?
Is there something that gets changed when you go from nightly/aurora to beta?

All tests run with an empty profile.
Weird stuff! Could you try to keep the "Network" panel in dev tools open while opening the site, and compare the requests in a working and broken build? If the number/order of requests or size of responses changes it might give us an important clue.

Comment 7

4 years ago
(In reply to Marc Auslander from comment #5)
> I'm afraid whatever is going on is bizarre.
> 
> Facts:
> 
> firefox 30 release works correctly
> firefox 31B2 - latest beta works correctly
> nightly as far back as one of the version 28 nightlies fails!
> the last nightly for version 31 built 4/28 fails
> aurora 32A fails
> 
> Any ideas?
> Is there something that gets changed when you go from nightly/aurora to beta?
> 
> All tests run with an empty profile.

It's probably due to some feature / thing that's turned on on Nightly/Aurora and not on beta? Maybe? It'd still help to find the regression window on Nightly (might be before 28), in addition to what Hallvord said. It could also be that they do user agent detection in a way that detects the branding, although AFAICT most of the web-facing things we do shouldn't have a branding difference (UA string, navigator.appName, navigator.appCodeName) - maybe I'm missing one?
(Reporter)

Comment 8

4 years ago
Last good revision: 08a034e1d43a (2013-02-23)
First bad revision: 195e706140d1 (2013-02-24)

I don't know how to save the debugger network output to compare runs.
Marc,

Save as HAR is not implemented yet. Bug 859058
The only way to make the comparison is either put a proxy in between or rely on a screenshot.
Be careful to not leak private information by doing that.
Flags: needinfo?(marcausl)
(Reporter)

Comment 10

4 years ago
I don't know how to fetch the change log for the regression interval I reported above.  Maybe something will pop out if someone who knows something (not me :-) looks at it.
(Reporter)

Comment 11

4 years ago
Someone should look at https://hg.mozilla.org/mozilla-central/rev/076b8758ecb0
from
https://bugzilla.mozilla.org/show_bug.cgi?id=818340

It has code which is turned off for the release.
Flags: needinfo?(marcausl)
So it doesn't seem to be a Tech Evangelism bug. Should we move that to an appropriate Product/Component?

Comment 13

4 years ago
(In reply to Marc Auslander from comment #10)
> I don't know how to fetch the change log for the regression interval I
> reported above.  Maybe something will pop out if someone who knows something
> (not me :-) looks at it.

http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=08a034e1d43a&tochange=195e706140d1

That does indeed have bug 818340 in it. Which was then later disabled for release. However... this is just a pref setting.


Marc, if you use nightly on this site, and in about:config, set network.cookie.cookieBehavior to '0', does that fix your issue?


It sounds like the site is relying on third-party cookies from a place that you don't explicitly visit. That would IMO still be a tech evangelism issue, but let's mark this blocking anyway.
Blocks: 818340
Flags: needinfo?(marcausl)
(Reporter)

Comment 14

4 years ago
That pref "fixes" the issue.

IMHO you need to decide about this check and either go forward or turn it off always by default, leaving the pref for explicit testing.
Flags: needinfo?(marcausl)
Summary: coned.com customer site bill access broken on fx 33 → coned.com customer site bill access broken on non Release builds
I don't see any issues at http://coned.com/
Please reopen if there is a specific tech evangelism issue. If it's a different issue move to the right component.
Closing as worksforme.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WORKSFORME
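
The comparison requested in the comments above (working build versus broken build, without leaking private information) can be done on cookie names alone, which is enough to show a third-party cookie being offered but never returned. This is an added example, not code from the bug or from Mozilla: the captures, paths and cookie names are constructed, and the two-label `site()` comparison is a stand-in for a Public Suffix List lookup.

```javascript
// Constructed captures: hosts are from the bug; paths, cookie names and values are made up.
const working = [
  { url: "https://www.coned.com/billing", cookie: "session=aaa111", setCookie: [] },
  { url: "https://postedge.documentmailbox.com/login", cookie: "", setCookie: ["pe_sid=bbb222; Secure"] },
  { url: "https://postedge.documentmailbox.com/bills", cookie: "pe_sid=bbb222", setCookie: [] },
];
const broken = [
  { url: "https://www.coned.com/billing", cookie: "session=ccc333", setCookie: [] },
  { url: "https://postedge.documentmailbox.com/login", cookie: "", setCookie: ["pe_sid=ddd444; Secure"] },
  { url: "https://postedge.documentmailbox.com/bills", cookie: "", setCookie: [] },
];

// Assumption: last two labels approximate the registrable domain (use the PSL in real tooling).
const site = (host) => host.split(".").slice(-2).join(".");

// Cookie names only; values are dropped so the summary is safe to attach to a bug.
const cookieNames = (header) =>
  header.split(";").map((p) => p.split("=")[0].trim()).filter(Boolean);

function summarize(capture, topLevelHost) {
  return capture.map((r) => {
    const u = new URL(r.url);
    return {
      host: u.hostname,
      key: u.hostname + u.pathname,
      thirdParty: site(u.hostname) !== site(topLevelHost),
      sent: cookieNames(r.cookie),
      set: r.setCookie.map((c) => cookieNames(c)[0]),
    };
  });
}

// Requests where the broken build sent fewer cookies than the working one.
function missingCookies(good, bad, topLevelHost) {
  const badSum = summarize(bad, topLevelHost);
  const badByKey = new Map(badSum.map((r) => [r.key, r]));
  const report = [];
  for (const g of summarize(good, topLevelHost)) {
    const b = badByKey.get(g.key);
    const missing = g.sent.filter((n) => !(b && b.sent.includes(n)));
    if (missing.length === 0) continue;
    // Still offered via Set-Cookie by the same host yet never returned: points at
    // browser cookie policy rather than at the server.
    const offeredButNotReturned = missing.filter((n) =>
      badSum.some((r) => r.host === g.host && r.set.includes(n)));
    report.push({ request: g.key, thirdParty: g.thirdParty, missing, offeredButNotReturned });
  }
  return report;
}

console.log(JSON.stringify(missingCookies(working, broken, "www.coned.com"), null, 2));
```

A non-empty `offeredButNotReturned` on a request flagged `thirdParty` matches the diagnosis reached in the thread; an empty one would mean the server never issued the cookie in the broken run.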